LDAP library follows referrals received in ldap response by default. This commit adds a param ldap_follow_referrals for umich_schema to control the behaviour. The default value of this tunable is 'true' i.e set to follow referrals. This is similar to nslcd::referrals param.
Signed-off-by: Srikrishan Malik <srikrishanmalik@xxxxxxxxx>
---
 support/nfsidmap/idmapd.conf | 3 +++
 support/nfsidmap/idmapd.conf.5 | 3 +++
 support/nfsidmap/umich_ldap.c | 25 ++++++++++++++++++++++++-
 3 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/support/nfsidmap/idmapd.conf b/support/nfsidmap/idmapd.conf
index aeeca1bf..2a2f79a1 100644
--- a/support/nfsidmap/idmapd.conf
+++ b/support/nfsidmap/idmapd.conf
@@ -98,6 +98,9 @@ LDAP_base = dc=local,dc=domain,dc=edu
 # absolute search base for groups
 #LDAP_group_base = <LDAP_base>
 
+# Whether to follow ldap referrals
+#LDAP_follow_referrals = true
+
 # Set to true to enable SSL - anything else is not enabled
 #LDAP_use_ssl = false
 
diff --git a/support/nfsidmap/idmapd.conf.5 b/support/nfsidmap/idmapd.conf.5
index d2fd3a20..f5b18167 100644
--- a/support/nfsidmap/idmapd.conf.5
+++ b/support/nfsidmap/idmapd.conf.5
@@ -239,6 +239,9 @@ name given as
 .B LDAP_server
 (Default: "true")
 .TP
+.B LDAP_follow_referrals
+Whether or not to follow ldap referrals. (Default: "true")
+.TP
 .B LDAP_use_ssl
 Set to "true" to enable SSL communication with the LDAP server.
 (Default: "false")
diff --git a/support/nfsidmap/umich_ldap.c b/support/nfsidmap/umich_ldap.c
index d5a7731a..c475d379 100644
--- a/support/nfsidmap/umich_ldap.c
+++ b/support/nfsidmap/umich_ldap.c
@@ -115,6 +115,7 @@ struct umich_ldap_info {
 				    looking up user groups */
 	int ldap_timeout; /* Timeout in seconds for searches by ldap_search_st */
+	int follow_referrals; /* whether to follow ldap referrals */
 	char *sasl_mech; /* sasl mech to be used */
 	char *sasl_realm; /* SASL realm for SASL authentication */
 	char *sasl_authcid; /* authentication identity to be used */
@@ -139,6 +140,7 @@ static struct umich_ldap_info ldap_info = {
 	.tls_reqcert = LDAP_OPT_X_TLS_HARD,
 	.memberof_for_groups = 0,
 	.ldap_timeout = DEFAULT_UMICH_SEARCH_TIMEOUT,
+	.follow_referrals = 1,
 	.sasl_mech = NULL,
 	.sasl_realm = NULL,
 	.sasl_authcid = NULL,
@@ -346,6 +348,15 @@ ldap_init_and_bind(LDAP **pld,
 		ldap_set_option(ld, LDAP_OPT_SIZELIMIT, (void *)sizelimit);
 	}
 
+	lerr = ldap_set_option(ld, LDAP_OPT_REFERRALS,
+			       linfo->follow_referrals ? (void *)LDAP_OPT_ON :
+			       (void *)LDAP_OPT_OFF);
+	if (lerr != LDAP_SUCCESS) {
+		IDMAP_LOG(2, ("ldap_init_and_bind: setting LDAP_OPT_REFERRALS "
+			      "failed: %s (%d)", ldap_err2string(lerr), lerr));
+		goto out;
+	}
+
 	/* Set option to to use SSL/TLS if requested */
 	if (linfo->use_ssl) {
 		int tls_type = LDAP_OPT_X_TLS_HARD;
@@ -1310,7 +1321,7 @@ out_err:
 static int
 umichldap_init(void)
 {
-	char *tssl, *canonicalize, *memberof, *cert_req;
+	char *tssl, *canonicalize, *memberof, *cert_req, *follow_referrals;
 	char missing_msg[128] = "";
 	char *server_in, *canon_name;
 
@@ -1378,6 +1389,16 @@ umichldap_init(void)
 	ldap_info.sasl_krb5_ccname = conf_get_str(LDAP_SECTION,
 						 "LDAP_sasl_krb5_ccname");
 
+	follow_referrals = conf_get_str_with_def(LDAP_SECTION,
+						 "LDAP_follow_referrals",
+						 "true");
+	if ((strcasecmp(follow_referrals, "true") == 0) ||
+	    (strcasecmp(follow_referrals, "on") == 0) ||
+	    (strcasecmp(follow_referrals, "yes") == 0))
+		ldap_info.follow_referrals = 1;
+	else
+		ldap_info.follow_referrals = 0;
+
 	/* Verify required information is supplied */
 	if (server_in == NULL || strlen(server_in) == 0)
 		strncat(missing_msg, "LDAP_server ", sizeof(missing_msg)-1);
@@ -1542,6 +1563,8 @@ umichldap_init(void)
 				 ldap_info.sasl_canonicalize));
 	IDMAP_LOG(1, ("umichldap_init: sasl_krb5_ccname: %s",
 				 ldap_info.sasl_krb5_ccname));
+	IDMAP_LOG(1, ("umichldap_init: follow_referrals: %s",
+				 ldap_info.follow_referrals ? "yes" : "no"));
 	IDMAP_LOG(1, ("umichldap_init: NFSv4_person_objectclass : %s",
 				 ldap_map.NFSv4_person_objcls));
 
-- 
2.25.1
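Review bot: In the ldap_init_and_bind hunk the REFERRALS option is applied before the TLS block that follows it, and with the default of on the library will open connections to whatever server a referral names, so a comment here should state that referral-chasing is intended and that those connections are expected to inherit this handle's TLS and certificate settings (confirm against the OpenLDAP version in use before relying on it). Suggested comment above the `ldap_set_option` call: `/* Referral chasing is on by default; referred servers are reached via this same handle, so keep this before any search and before TLS setup is changed. */`. The `(void *)` casts on `LDAP_OPT_ON`/`LDAP_OPT_OFF` are redundant, as OpenLDAP's ldap.h already defines both as `void *` values, so `linfo->follow_referrals ? LDAP_OPT_ON : LDAP_OPT_OFF` reads cleaner. The remainder of ldap_init_and_bind, including the `out` label taken on failure, lies outside the hunk.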
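Review bot: In the conf_get_str_with_def hunk any value other than true/on/yes disables referral chasing without a diagnostic, so a misspelt setting turns the feature off unnoticed; mirror the negative spellings and log anything else, e.g. `else if (strcasecmp(follow_referrals, "false") && strcasecmp(follow_referrals, "off") && strcasecmp(follow_referrals, "no"))` followed by `IDMAP_LOG(0, ("umichldap_init: unrecognized LDAP_follow_referrals value '%s', assuming false", follow_referrals));` before the `ldap_info.follow_referrals = 0;` branch. The default is now stated twice, as `.follow_referrals = 1` in the static initializer and as `"true"` here, so a one-line comment cross-referencing the two would keep them from drifting. The man-page entry added in this commit says only "Whether or not", so listing the accepted spellings there would match what the code actually checks. umichldap_init begins and ends outside this hunk.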